Buggy WordPress Plugin Disclose Twitter Users Access Tokens

Thursday, 17 January 2019

Researcher found a popular WordPress Plugin called Social Network Tab is leaking linked Twitter account access tokens and accounts access keys in its source code which is leading to a takeover of the Twitter account.

The bug identified as CVE-2018-20555 has been found by a French security researcher named Baptiste Robert going with the twitter handle Elliot Alderson. These access tokens are used to login the account without any passwords.

Initially to check the bug, Baptiste used Publicwww site to search the vulnerable code and found 539 vulnerable sites. For proof-of-concept he wrote a code which gathers all the access tokens from affected websites.

Researcher pointed out there was couple of verified twitter accounts too in the affected account lists.

Baptiste had reported the issue to Twitter on December 1, prompting twitter to revoke the keys for account security.
Regarding this type of issues (access tokens related) Twitter have already mentioned some security measures that users should follow. Users should check to which apps they have given permission and if there is unwanted apps they should revoke the access to the apps.